Ding Wang,Ping Wang

DOI: https://doi.org/10.1007/978-3-319-24177-7_23

2015-01-01

Abstract:While much has changed in Internet security over the past decades, textual passwords remain as the dominant method to secure user web accounts and they are proliferating in nearly every new web services. Nearly every web services, no matter new or aged, now enforce some form of password creation policy. In this work, we conduct an extensive empirical study of 50 password creation policies that are currently imposed on high-profile web services, including 20 policies mainly from US and 30 ones from mainland China. We observe that no two sites enforce the same password creation policy, there is little rationale under their choices of policies when changing policies, and Chinese sites generally enforce more lenient policies than their English counterparts.We proceed to investigate the effectiveness of these 50 policies in resisting against the primary threat to password accounts (i.e. online guessing) by testing each policy against two types of weak passwords which represent two types of online guessing. Our results show that among the total 800 test instances, 541 ones are accepted: 218 ones come from trawling online guessing attempts and 323 ones come from targeted online guessing attempts. This implies that, currently, the policies enforced in leading sites largely fail to serve their purposes, especially vulnerable to targeted online guessing attacks.

Zhigong Li,Weili Han,Wenyuan Xu

2014-01-01

Abstract:Users speaking different languages may prefer different patterns in creating their passwords, and thus knowledge on English passwords cannot help to guess passwords from other languages well. Research has already shown Chinese passwords are one of the most difficult ones to guess. We believe that the conclusion is biased because, to the best of our knowledge, little empirical study has examined regional differences of passwords on a large scale, especially on Chinese passwords. In this paper, we study the differences between passwords from Chinese and English speaking users, leveraging over 100 million leaked and publicly available passwords from Chinese and international websites in recent years. We found that Chinese prefer digits when composing their passwords while English users prefer letters, especially lowercase letters. However, their strength against password guessing is similar. Second, we observe that both users prefer to use the patterns that they are familiar with, e.g., Chinese Pinyins for Chinese and English words for English users. Third, we observe that both Chinese and English users prefer their conventional format when they use dates to construct passwords. Based on these observations, we improve a PCFG (Probabilistic Context-Free Grammar) based password guessing method by inserting Pinyins (about 2.3% more entries) into the attack dictionary and insert our observed composition rules into the guessing rule set. As a result, our experiments show that the efficiency of password guessing increases by 34%.

Weili Han,Zhigong Li,Lang Yuan,Wenyuan Xu

DOI: https://doi.org/10.1109/TIFS.2015.2490620

2016-01-01

Abstract:Current research on password security pays much attention on users who speak Indo-European languages (English, Spanish, and so on), and thus the countermeasures are heavily influenced by Indo-European speakers’ choices as well. However, languages have a strong impact on passwords. Analysis without considering other languages (e.g., Chinese) might lead to some biased results, such as Chinese passwords are one of the most difficult ones to guess. We believe that such a conclusion could be biased because, to the best of our knowledge, little empirical study has examined the regional differences of passwords at a large scale, especially on Chinese passwords. In this paper, we comprehensively study the differences between passwords from Chinese and English-dominant users, leveraging over 100 million leaked and publicly available passwords from Chinese and international websites in recent years. We find that Chinese prefer digits when composing their passwords, while English-dominant users prefer letters, especially lowercase letters. However, their strength against password guessing is similar. Second, we observe that both groups of users prefer to use the patterns that they are familiar with, e.g., Chinese Pinyins for Chinese and English words for English-dominant users. In particular, since multiple input methods require various sequences of letters to enter the same Chinese characters, we evaluate the impacts of various Chinese input methods, in addition to Pinyin. Third, we observe that both Chinese and English-dominant users prefer their conventional format when they use dates to construct passwords. Based on these observations, we improve two password guessing methods: 1) probabilistic context-free grammar (PCFG)-based password guessing method and 2) Markov model-based password guessing method. For the PCFG-based method, the guessing efficiency increases by up to 48% after inserting Pinyins (about 2.3% more entries) into the attack dictionary - nd inserting the observed composition rules into the guessing rule set. For the Markov-model-based method, the guessing efficiency increases by up to 4.7% after we increase the percentage of Pinyins in the training set. Our research sheds light on understanding the impact of regional patterns on passwords.

Ding Wang,Haibo Cheng,Ping Wang,Xinyi Huang,Chao-Hsien Chu

2016-01-01

Abstract:While the computer security world has changed a lot over the last two decades, textual passwords remain the dominant authentication mechanism over the Internet and are likely to persist in the foreseeable future. Much attention (e.g., user surveys and empirical analysis) has been paid to passwords chosen by English users, yet relatively little is known about how nonEnglish users select passwords. In this work, we conduct so far the first user survey on the password behaviors of Chinese users, revealing a number of users’ basic coping strategies for managing passwords when they are confronted with the demanding tasks of keeping track of many accounts and passwords. We further perform an empirical analysis of 100 million Chinese web passwords in a comparison with 30 million English ones, a corpus among the largest ones ever studied. We identify a number of interesting structural and semantic characteristics in Chinese passwords, and also examine their security by employing two state-of-the-art password cracking techniques (i.e., probabilistic context-free grammars (PCFG) and Markov models). Particularly, our cracking results reveal a “reversal principle”: when the guess number allowed is small, Chinese passwords are much weaker than their English counterparts, yet this relationship will be reversed when the guess number is large. This well reconciles two conflicting claims about the strength of Chinese web passwords made by Bonneau in 2012 and Li et al. in 2014, respectively. At 10 guesses, the success rate of our improved PCFG-based attack against the Chinese datasets is from 33.2% to 49.8%, indicating that our attack can crack 92% to 188% more passwords than the best record reported by Li et al. in 2014. We also discuss the implications of our findings. This work is expected to help facilitate both security administrators and users to gain a better understanding of the vulnerability of Chinese passwords, as well as to shed light on future password research.

Suood Alroomi,Frank Li

DOI: https://doi.org/10.48550/arXiv.2309.03384

2023-09-06

Cryptography and Security

Abstract:Researchers have extensively explored how password creation policies influence the security and usability of user-chosen passwords, producing evidence-based policy guidelines. However, for web authentication to improve in practice, websites must actually implement these recommendations. To date, there has been limited investigation into what password creation policies are actually deployed by sites. Existing works are mostly dated and all studies relied on manual evaluations, assessing a small set of sites (at most 150, skewed towards top sites). Thus, we lack a broad understanding of the password policies used today. In this paper, we develop an automated technique for inferring a website's password creation policy, and apply it at scale to measure the policies of over 20K sites, over two orders of magnitude (135x) more sites than prior work. Our findings identify the common policies deployed, potential causes of weak policies, and directions for improving authentication in practice. Ultimately, our study provides the first large-scale understanding of password creation policies on the web.

Ding Wang,Ping Wang,Debiao He,Yuan Tian

2019-01-01

Abstract:Much attention has been paid to passwords chosen by English speaking users, yet only a few studies have examined how non-English speaking users select passwords. In this paper, we perform an extensive, empirical analysis of 73.1 million real-world Chinese web passwords in comparison with 33.2 million English counterparts. We highlight a number of interesting structural and semantic characteristics in Chinese passwords. We further evaluate the security of these passwords by employing two state-of-the-art cracking techniques. In particular, our cracking results reveal the bifacial-security nature of Chinese passwords. They are weaker against online guessing attacks (i.e., when the allowed guess number is small, 1 similar to 10(4)) than English passwords. But out of the remaining Chinese passwords, they are stronger against offline guessing attacks (i.e., when the guess number is large, >10(5)) than their English counterparts. This reconciles two conflicting claims about the strength of Chinese passwords made by Bonneau (IEEE S&P'12) and Li et al. (Usenix Security'14 and IEEE TIFS'16). At 10(7) guesses, the success rate of our improved PCFG-based attack against the Chinese datasets is 33.2%similar to 49.8%, indicating that our attack can crack 92% to 188% more passwords than the state of the art. We also discuss the implications of our findings for password policies, strength meters and cracking.

Chao Shen,Tianwen Yu,Haodi Xu,Gengshan Yang,Xiaohong Guan

DOI: https://doi.org/10.1016/j.cose.2016.05.007

IF: 5.105

2016-01-01

Computers & Security

Abstract:Due to increasing security awareness of password from the public and little attention on the characteristics of real-life passwords, it is thus natural to understand the current state of characteristics of real-life passwords, and to explore how password characteristics change over time and how earlier password practice is understood in current context. In this work, we attempt to present an in-depth and comprehensive understanding of user practice in real-life passwords, and to see whether the previous observations can be confirmed or reversed, based on large-scale measurements rather than anecdotal knowledge or user surveys. Specifically, we measure password characteristics on over 6 million passwords, in terms of password length, password composition, and password selection. We then make informed comparisons of the findings between our investigation and previously reported results. Our general findings include: (1) average password length is at least 12% longer than previous results, and 75% of our passwords have the length between 8 and 10 characters; (2) there is a significant increase of using only numbers as passwords, and easy-to-reach symbols are always the first choice when users added symbols into passwords; (3) there observes a remarkable increase (about 40%) of using combo-meaningful data as passwords, and a striking proportion of using the most common passwords or login names as passwords. Our investigation also includes collecting statistics about the use of symbols, letter-case, and meaningful details, which presents a systematic analysis of password usage. The comparative results indicate that the password characteristics and password practice on this massive password data set are somewhat inconsistent with those from anecdotal knowledge and user surveys, and exhibit a substantial change over time in some ways. Further research needs to build upon this understanding for gaining insight into how password security can be improved.

Ping Wang,Ding Wang,Xinyi Huang

DOI: https://doi.org/10.7544/issn1000-1239.2016.20160483

2016-01-01

Abstract:Identity authentication is the first line of defense for information systems ,and passwords are the most widely used authentication method .Though there are a number of issues in passwords regarding security and usability , and various alternative authentication methods have also been successively proposed , password‐based authentication will remain the dominant method in the foreseeable future due to its simplicity ,low cost and easiness to change .T hus ,this topic has attracted extensive interests from worldwide researchers ,and many important results have been revealed .This work begins with the introduction of users’ vulnerable behaviors and details the password characteristics ,distribution and reuse rate .Next we summarize the primary cracking algorithms that have appeared in the past 30 years , and classify them into groups in terms of the difference in dependence on what information is exploited by the attacker .Then ,we revisit the various statistical‐based evaluation metrics for measuring the strength of password distributions .Further ,we compare the state‐of‐the‐art password strength meters .Finally ,we summarize our results and outline some future research trends .

Ding Wang,Ping Wang

DOI: https://doi.org/10.1007/978-3-319-45744-4_6

2016-01-01

Abstract:Textual passwords are perhaps the most prevalent mechanism for access control over the Internet. Despite the fact that human-beings generally select passwords in a highly skewed way, it has long been assumed in the password research literature that users choose passwords randomly and uniformly. This is partly because it is easy to derive concrete (numerical) security results under the uniform assumption, and partly because we do not know what's the exact distribution of passwords if we do not make a uniform assumption. Fortunately, researchers recently reveal that user-chosen passwords generally follow the Zipf's law, a distribution which is vastly different from the uniform one.In this work, we explore a number of foundational security implications of the Zipf-distribution assumption about passwords. Firstly, we how the attacker's advantages against password-based cryptographic protocols (e.g., authentication, encryption, signature and secret share) can be 2-4 orders of magnitude more accurately captured (formulated) than existing formulation results. As password protocols are the most widely used cryptographic protocols, our new formulation is of practical significance. Secondly, we provide new insights into popularity-based password creation policies and point out that, under the current, widely recommended security parameters, usability will be largely impaired. Thirdly, we show that the well-known password strength metric a-guesswork, which was believed to be parametric, is actually non-parametric in two of four cases under the Zipf assumption. Particularly, nine large-scale, real-world password datasets are employed to establish the practicality of our findings.

Gilbert Notoatmodjo,Clark D. Thomborson

2009-01-01

Abstract:The security of many computer systems hinges on the secrecy of a single word - if an adversary obtains knowledge of a password, they will gain access to the resources controlled by this password. Human users are the 'weakest link' in password control, due to our propensity to reuse passwords and to create weak ones. Policies which forbid such unsafe password practices are often violated, even if these policies are well-advertised. We have studied how users perceive their accounts and their passwords. Our participants mentally classified their accounts and passwords into a few groups, based on a small number of perceived similarities. Our participants used stronger passwords, and reused passwords less, in account groups which they considered more important. Our participants thus demonstrated awareness of the basic tenets of password safety, but they did not behave safely in all respects. Almost half of our participants reused at least one of the passwords in their high-importance accounts. Our findings add to the body of evidence that a typical computer user suffers from 'password overload'. Our concepts of password and account grouping point the way toward more intuitive user interfaces for password-and account-management systems.

Shukun Yang,Shouling Ji,Raheem Beyah

DOI: https://doi.org/10.1109/tifs.2017.2737971

IF: 7.231

2018-01-01

IEEE Transactions on Information Forensics and Security

Abstract:To keep password users from creating simple and common passwords, major websites and applications provide a password-strength measure, namely a password checker. While critical requirements for a password checker to be stringent have prevailed in the study of password security, we show that regardless of the stringency, such static checkers can leak information and actually help the adversary enhance the performance of their attacks. To address this weakness, we propose and devise the Dynamic Password Policy Generator, namely DPPG, to be an effective and usable alternative to the existing password strength checker. DPPG aims to enforce an evenly-distributed password space and generate dynamic policies for users to create passwords that are diverse and that contribute to the overall security of the password database. Since DPPG is modular and can function with different underlying metrics for policy generation, we further introduce a diversity-based password security metric that evaluates the security of a password database in terms of password space and distribution. The metric is useful as a countermeasure to well-crafted offline cracking algorithms and theoretically illustrates why DPPG works well.

Ding Wang,Gaopeng Jian,Ping Wang

2015-01-01

Abstract:Despite more than thirty years of intensive research efforts, textual passwords are still enveloped in mysterious veils. In this work, we make a substantial step forward in understanding the underlying distributions of passwords. By conducting linear regressions on a corpus of 97.2 million passwords (a mass of chaotic data), we for the first time show that Zipf ’s law perfectly exists in user-generated passwords, figure out the corresponding exact distribution functions, and investigate some fundamental implications of our observations for password policies and password-based cryptographic protocols (e.g., authentication, encryption and signature). As one specific application of this law of nature, we propose the number of unique passwords used in regression and the absolute value of slope of the regression line together as a metric for assessing the strength of password datasets, and prove its correctness in a mathematically rigorous manner. In addition, extensive experiments (including optimal attacks, simulated optimal attacks and state-of-the-art cracking sessions) are performed to demonstrate the practical effectiveness of our metric. In two of four cases, our metric outperforms Bonneau’s α-guesswork in simplicity and to the best of knowledge, it is the first one that is both easy to approximate and accurate to facilitate comparisons, providing a useful tool for the security administrators to gain a precise grasp of the strength of their password datasets and to adjust the password policies more reasonably.

WANG Jun

DOI: https://doi.org/10.3969/j.issn.1009-3044.2012.23.013

2012-01-01

Abstract:Along with the social informatization is getting higher and higher,the data stored in the DBMS to security requirements are also gradually improve.Systems generally will require the user to input the password,that is,by setting a password to protect the security of the database.It’s talking about commonly used methods of password analysis about database encryption.It’s obvious that encryption algorithm has been greatly enhanced in the new version through to the contrast analysis between an encrypted database of Access 2003 and an encrypt ed database of Access 2010,improved the password security of Access 2010.

Ding Wang,Gaopeng Jian,Ping Wang

2014-01-01

Abstract:Despite more than thirty years of intensive research efforts, textual passwords are still enveloped in mysterious veils. In this work, we make a substantial step forward in understanding the underlying distributions of passwords. By conducting linear regressions on a corpus of 97.2 million passwords (a mass of chaotic data), we for the first time show that Zipf’s law perfectly exists in user-generated passwords, figure out the corresponding exact distribution functions, and investigate some fundamental implications of our observations for password policies and password-based cryptographic protocols (e.g., authentication, encryption and signature). As one specific application of this law of nature, we propose the number of unique passwords used in regression and the absolute value of slope of the regression line together as a metric for assessing the strength of password datasets, and prove its correctness in a mathematically rigorous manner. In addition, extensive experiments (including optimal attacks, simulated optimal attacks and state-of-the-art cracking sessions) are performed to demonstrate the practical effectiveness of our metric. In two of four cases, our metric outperforms Bonneau’s α-guesswork in simplicity and to the best of knowledge, it is the first one that is both easy to approximate and accurate to facilitate comparisons, providing a useful tool for the security administrators to gain a precise grasp of the strength of their password datasets and to adjust the password policies more reasonably.

Daojing He,Zhiyong Liu,Shanshan Zhu,Sammy Chan,Mohsen Guizani

DOI: https://doi.org/10.1109/jiot.2024.3367323

IF: 10.6

2024-01-01

IEEE Internet of Things Journal

Abstract:Continuously preventing weak password attacks is one of the most important initiatives to secure IoT and smart contract platforms. Despite their significance as crucial components of passwords, special character segments have been overlooked. This study systematically studies the basic characteristics and semantic patterns of special character segments. We assess the efficacy of special character segment characteristics in cracking trials through assimilation into the latest Probabilistic Context-Free Grammar (PCFGv4) method for password cracking by updating the pre-terminal structure or performing special character segment transformation. Experimental findings demonstrate that a mere 6% transformation rate improves the cracking rate by 3.72% under the optimal assimilation combination. Our investigation reveals that the current password creation policies of mainstream IoT platforms and smart contract wallets overestimate the strength of passwords with special characters. To enhance their passwords, users can employ low-frequency special character semantic strings. For IoT platforms or smart contract wallets, the use of blacklist constructed from special character segment characteristics can effectively mitigate the risk of overestimating the strength of passwords with special characters.

computer science, information systems,telecommunications,engineering, electrical & electronic

Weili Han,Zhigong Li,Minyue Ni,Guofei Gu,Wenyuan Xu

DOI: https://doi.org/10.1109/tdsc.2016.2568187

2018-01-01

Abstract:With the proliferation of websites, the security level of password-protected accounts is no longer purely determined by individual ones. Users may register multiple accounts on the same site or across multiple sites, and these passwords from the same users are likely to be the same or similar. As a result, an adversary can compromise the account of a user on a web forum, then guess the accounts of the same user in sensitive accounts, e.g. , online banking services, whose accounts could have the same or even stronger passwords. We name this attack as the shadow attack on passwords. To understand the situation, we examined the state-of-the-art Intra-Site Password Reuses (ISPR) and Cross-Site Password Reuses (CSPR) based on the leaked passwords from the biggest Internet user group (i.e., 668 million members in China). With a collection of about 70 million real-world web passwords across four large websites in China, we obtained around 4.6 million distinct users who have multiple accounts on the same site or across different sites. We found that for the users with multiple accounts in a single website, $59.72$ percent reused their passwords and for the users with multiple accounts on multiple websites, $33.16 \pm 8.91$ percent reused their passwords across websites. For the users that have multiple accounts but different passwords, the set of passwords of the same user exhibits patterns that can help password guessing: a leaked weak password reveals partial information of a strong one, which degrades the strength of the strong one. Given the aforementioned findings, we conducted an experiment and achieved a 39.38 percent improvement of guessing success rate with John the Ripper guessing tool. To the best of our knowledge, we are the first to provide a large-scale, empirical, and quantitative measurement of web password reuses, especially ISPR, and shed light on the severity of such threat in the real world.

Hazel Murray,David Malone

DOI: https://doi.org/10.1109/ISSC.2017.7983609

2017-10-27

Abstract:Password advice is constantly circulated by standards agencies, companies, websites and specialists. But there appears to be great diversity in terms of the advice that is given. Users have noticed that different websites are enforcing different restrictions. For example, requiring different combinations of uppercase and lowercase letters, numbers and special characters. We collected password advice and found that the advice distributed by one organization can directly contradict advice given by another. Our paper aims to illuminate interesting characteristics for a sample of the password advice distributed. We also create a framework for identifying the costs associated with implementing password advice. In doing so we identify a reason for why password advice is often both derided and ignored.

Cryptography and Security,Computers and Society,Human-Computer Interaction

Bo Lu,Xiaokuan Zhang,Ziman Ling,Yinqian Zhang,Zhiqiang Lin

DOI: https://doi.org/10.1145/3274694.3274714

2018-12-03

Abstract:Text passwords remain a primary means for user authentication on modern computer systems. However, recent studies have shown the promises of guessing user passwords efficiently with auxiliary information of the targeted accounts, such as the users' personal information, previously used passwords, or those used in other systems. Authentication rate-limiting mechanisms, such as account lockout and login throttling, are common methods to defeat online password cracking attacks. But to date, no published studies have investigated how authentication rate-limiting is implemented by popular websites. In this paper, we present a measurement study of such countermeasures against online password cracking. Towards this end, we propose a black-box approach to modeling and validating the websites' implementation of the rate-limiting mechanisms. We applied the tool to examine all 182 websites that we were able to analyze in the Alexa Top 500 websites in the United States. The results are rather surprising: 131 websites (72%) allow frequent, unsuccessful login attempts without account lockout or login throttling (though some of these websites force the adversary to lower the login frequency or constantly change his IP addresses to circumvent the rate-limiting enforcement). The remaining 51 websites are not absolutely secure either: 28 websites may block a legitimate user with correct passwords when the account is locked out, effectively enabling authentication denial-of-service attacks.

Yubing Bao,Jianping Zeng,Jirui Yang,Ruining Yang,Zhihui Lu

DOI: https://doi.org/10.1145/3703350

IF: 2.717

2024-01-01

ACM Transactions on Privacy and Security

Abstract:The predominant authentication method still relies on usernames and passwords. To enhance memorability, domain terms may have been opted to include as part of passwords. However, there is little analysis of the extent to which such practice affects password security, so there is a lack of guidance on how users use domain terms on websites with different domain characteristics. To address the problem, we propose a novel approach to analyze the security effect of using domain terms in passwords. The methodology primarily consists of three stages. Firstly, we utilize Web crawlers to harvest domain vocabularies, subsequently leveraging the TextRank algorithm to rank their importance. Afterward, we propose an algorithm for constructing a simulated domain-specific password dataset by replacing password elements with domain terms. Finally, password guessing experiments are done on the dataset using PCFG and Markov model to evaluate the impact of domain terms on password security. The experimental results indicate that, for systems without clear domain, 20% domain terms replacement in the test set can reduce the cracking rate by up to 5.45%. In contrast, for domain-specific systems, 20% domain terms replacement in the training set can increase the cracking rate by 6.45%. These findings provide practical guidance on the application of domain knowledge in password creation for different types of systems. In summary, this study offers a novel perspective for exploring the security implications of passwords influenced by specific domains.